GP Preference - Local Admin Passwords

  • Last Post 25 January 2016
amalchev posted this 20 January 2016

Hello All,

I found that there is a vulnerability in GPP (MS14-025) affecting local admins.

Microsoft has a LAPS tool that I will test but would like to know about your opinion.

How do you manage local admin passwords?

My goals are:
- password to be changed regularly;
- local admins should not be disabled;
- domain admins should know the passwords for the local admin accounts;
- not to use a PowerShell script that keeps the passwords in plain text.

Thanks in advance for your help!

Best Regards,
Atanas Malchev

Mahdi posted this 20 January 2016

If you do not want to use GPP for managing local accounts, LAPS can be used to manage your local admin passwords. What it does is change the local admin account and place the account password in a confidential attribute.

If you ask me, I have to inform you that I still use GPP.

Mahdi Tehrani
www.mahditehrani.ir

amalchev posted this 20 January 2016

Thanks for the prompt reply!

I will play with LAPS in a test environment later today. Just want to check, if there is anything better and if there are any known issues/limitations.

Thanks!

Best regards,


Atanas Malchev


pbbergs posted this 20 January 2016

Control of the password change is set in increments of days.

You can control 1 local admin account on a box and it doesn't need to be named administrator.

Domain admins will be able to read the password, and anyone else that is granted the right to read the confidential attribute on the computer object: http://blogs.msdn.com/b/laps/archive/2015/06/01/laps-and-password-storage-in-clear-text-in-ad.aspx

PowerShell isn't needed, it is managed with a GPO(s).

Thank You
Paul Bergson
pbbergs@xxxxxxxxxxxxxxxx
Opinions expressed are mine and not my employer


amalchev posted this 20 January 2016

Thanks Paul!

Does anyone have experience with LAPS and restored VM from snapshot?

Thanks!

Best regards,


Atanas Malchev


pbbergs posted this 20 January 2016

What does that mean? If you restore a computer object prior to the last changed local admin password then you will have to go through a recovery process similar to anytime a password is lost. DaRT (Locksmith) would be one option.

Thank You
Paul Bergson
pbbergs@xxxxxxxxxxxxxxxx
Opinions expressed are mine and not my employer


kennedyjim posted this 20 January 2016

Been using LAPS ever since it went mainstream. It was implemented in about an hour and has worked perfectly ever since. I am a huge fan. It meets all of your goals perfectly and we have not experienced any downsides. Our desktop techs have access to the passwords of course, but that is it... just them and me.


kennedyjim posted this 20 January 2016

No direct experience, but if the password was reset after the snapshot... so you restored an old password... in the LAPS GUI control panel you can set a new expiration time for a machine. So set it to super fast. That will generate a new password.

Assuming the VM functions without knowing the admin password you should be able to pull that off in a few minutes.


pbbergs posted this 20 January 2016

This is true as long as the machine account has access to its computer object (able to authenticate to the domain); if not, then you would have to follow as previously mentioned. LAPS password management for each account is controlled by the local machine.

Thank You
Paul Bergson
pbbergs@xxxxxxxxxxxxxxxx
Opinions expressed are mine and not my employer
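Two of the points above in working form, as an added example that is not from this thread or from Microsoft's own LAPS tooling: auditing who has been granted read on the confidential password attribute under an OU (Paul's point that anyone holding that right, not only Domain Admins, can read it) and forcing immediate expiration for a VM restored from a pre-rotation snapshot (Jim's recovery step, subject to Paul's caveat that the machine must still authenticate to the domain). It assumes the LAPS AdmPwd.PS module and RSAT ActiveDirectory are installed on the admin workstation; the OU, group and computer names are placeholders.

```powershell
# Added example for this thread; not code from the original posts or from LAPS itself.
# Assumes the LAPS management tools (AdmPwd.PS module) and RSAT ActiveDirectory are
# installed. OU, group and computer names below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Who can read ms-Mcs-AdmPwd below an OU? LAPS grants this through the extended right
# to read confidential attributes, so every holder can see the passwords.
# Returns holders that are not on the expected list.
function Get-UnexpectedLapsReaders {
    param(
        [Parameter(Mandatory)][string]$OrgUnit,
        # Constructed list: adjust to the principals you deliberately delegated.
        [string[]]$ExpectedReaders = @('NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins', 'CONTOSO\Desktop Techs')
    )
    Find-AdmPwdExtendedRights -Identity $OrgUnit -IncludeComputers | ForEach-Object {
        $dn = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            if ($holder -notin $ExpectedReaders) {
                [pscustomobject]@{ ObjectDN = $dn; Holder = $holder }
            }
        }
    }
}

# A VM restored from a pre-rotation snapshot has a local password that no longer
# matches what AD holds. Expire it now so the client-side extension sets a new one on
# the next policy refresh. This only works while the machine can still authenticate
# to the domain; otherwise offline recovery (e.g. DaRT) is the fallback.
function Reset-RestoredVmLapsPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
    # Trigger the refresh remotely (needs WinRM to the target); warn if unreachable.
    try {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock { gpupdate /target:computer /force } -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Could not trigger gpupdate on $ComputerName; it will rotate at its next refresh."
    }
    # Read back the new expiry (the Password property is also returned if you hold the read right).
    Get-AdmPwdPassword -ComputerName $ComputerName |
        Select-Object ComputerName, ExpirationTimestamp
}

# Usage (placeholders):
# Get-UnexpectedLapsReaders -OrgUnit 'OU=Workstations,DC=contoso,DC=com' | Format-Table
# Reset-RestoredVmLapsPassword -ComputerName 'WS-RESTORED01'
```

Run the audit periodically and review any holder it reports: that is the list of people who effectively hold every local admin password in the OU.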


jeremyts posted this 20 January 2016

The Advanced version that encrypts the password is now freely available at http://www.laps-e.net

There is also password history.

It's an awesome tool. It should be part of every Active Directory environment by default.

Cheers,

Jeremy


kurtbuff posted this 20 January 2016

LAPS will help with all of those goals - we've implemented it, and are quite happy with it.

Kurt


kurtbuff posted this 20 January 2016

That's very cool - I hadn't seen that before.

Kurt


Mahdi posted this 20 January 2016

Just to mention we implemented LAPS once and there was a problem, our builtin domain administrator account got infected with LAPS. It was strange. Any thoughts on that?

pbbergs posted this 20 January 2016

You must have misinterpreted your findings. LAPS doesn't update domain user accounts. If you have problems you can open up a support case with Microsoft.

Thank You
Paul Bergson
pbbergs@xxxxxxxxxxxxxxxx
Opinions expressed are mine and not my employer


kurtbuff posted this 20 January 2016

+1


rwilper posted this 20 January 2016

The older (and slightly more capable) "SLAM" tool came with a warning to make sure that the GPOs never were allowed to apply to Domain Controllers to prevent this exact issue.

-Ross


pbbergs posted this 20 January 2016

If the GPO were to be applied against a DC and client side extensions were running on the DC, then yes, the Built-In administrator account would be changed.

Thank You
Paul Bergson
pbbergs@xxxxxxxxxxxxxxxx
Opinions expressed are mine and not my employer


Bharathian posted this 21 January 2016

Hi,

We have been thinking of implementing this LAPS, but have 1 constraint. We have delegated the helpdesk engineers to create/delete computers to the respective computer OUs.

And due to our internal policy the users may get transferred to the remote sites (without domain) without informing the IT. In that case, the helpdesk engineer will delete the computer account which is not available in their location.

The transferred users will only recognize when they want to install something and the system will prompt for admin password. In that case the computer account would have got deleted from AD, and recovery of password will not be possible.

Any ideas on this?

Regards,

Bharathi.AN


ElasticSky posted this 21 January 2016

Hi,

I'm sure others will chime in here but the main thing to remember is this is for managing the "Local Administrator" accounts password.

Ignoring the impact of removing a computer account from AD and what that will do for the computer and the users logging on, if they get prompted for admin credentials then any domain account with local administrative rights will suffice. The local administrator password shouldn't be getting used for this.

If you are giving your users the local administrative password to install software then we have a completely different discussion on our hands ;)

In regards to stopping helpdesk engineers deleting computer accounts from AD, that is simply delegating the appropriate rights, or rather removing their ability to delete computer accounts :)

Kind regards,

Glen


Bharathian posted this 21 January 2016

Thanks Glen for your input.

But the users are on remote sites where the domain is not available, so the domain account won't work in that case.

And the access for deletion is given in order for them to clean up their OUs and to retain the same computer name in case the OS is reinstalled, so they will delete the existing and create the new computer object with the same name.

Regards,

Bharathi.AN


kurtbuff posted this 21 January 2016

I see a couple of alternatives:

- Schedule a script to gather the local admin password regularly and put it on a secure share, where the helpdesk can get to it at will.

- Don't delete the computer account right away - have it put in a separate OU, where it will be deleted automatically after some period of time, and perhaps disable the account. That way, the administrator password is still available.

There are probably other approaches that would work also - these just came to mind after a moment's thought.

Kurt

